-
Notifications
You must be signed in to change notification settings - Fork 146
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Added support to specify tags in the config.yaml that will be applied to all resources deployed by TRE #3623
Conversation
… applied to all resources deployed by TRE
@microsoft-github-policy-service agree company="SOPHiA GENETICS" |
@jlabhard-sg approach looks good. I wonder if we can add anything to the terraform linter to ensure no services are missing the tags property. Look forward to it being ready for review. |
…eters to be applied to all azure resources deployed
The PR has been tested with the deployment of a fresh TRE, shared services, base workspace and linux VM. The tags were successfully applied to all azure resources whenever possible, and complied with Azure Policies that requires tags on all resources. I have looked into adding the tags to the terraform linter but it does not seem to support having the tags attribute, only having requirements for specific tags which is already in place. PR is now ready for review. |
@jlabhard-sg thanks, can you lint the terraform - |
/test-extended |
🤖 pr-bot 🤖 (in response to this comment from @marrobi) |
@jlabhard-sg can you resolve the conflicts please. |
/test-extended |
🤖 pr-bot 🤖
(in response to this comment from @marrobi) |
/test-extended 46d6e40 |
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/5750094375 (with refid (in response to this comment from @marrobi) |
/test-extended 46d6e40 |
🤖 pr-bot 🤖
(in response to this comment from @marrobi) |
@marrobi The current failure of terraform lint happens because tags of resources in the management resource group do not include "tre_id". on
However, this is not something I have removed with this PR. The tre_id is also not a variable in the devops terraform so I'm not sure what should be done here. |
/test-extended 31ca5c5 |
🤖 pr-bot 🤖 🏃 Running extended tests: https://github.com/microsoft/AzureTRE/actions/runs/5763811429 (with refid (in response to this comment from @marrobi) |
@jlabhard-sg thanks for getting everything green test wise. I'll try to take a look at the PR this week, but will likely hold of merging until after the next release. Thank you. |
config.sample.yaml
Outdated
@@ -76,3 +76,6 @@ developer_settings: | |||
|
|||
# Used by the API and Resource processor application to change log level | |||
# debug: true | |||
|
|||
# Specify here tags that should be applied to all resources deployed by the TRE in JSON string format | |||
# tags: '{"tag_key":"tag_value"}' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add this to the docs, https://microsoft.github.io/AzureTRE/v0.13.0/tre-admins/environment-variables/,
Can you also update the CHANGELOG.md file please.
Noticed this page needs updating to explain how config.yaml
maps to ENV vars etc. Will create a separate issue for that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added this to the docs, can you verify it's correct. Thanks.
@jlabhard-sg got an issue where tags aren't being updated for existing resource, I think this is due to:
being set on some (not all resources) The reason this was added was so that we didn't replace corporate tags applied by Azure policy - hence a lot of TF churn on each TF deploy. We could remove this, but it does also make me think, should these TRE wide tags be being applied via Azure policy rather than the TRE? How does it work in your organisation? My thinking at the moment is remove the ignore changes (that is typically a bad thing), and orgs need to add the corporate/policy applied tags to your new variable to prevent churn. |
Removing the ignore tags is going to create issues on subscriptions where a higher level policy is used. For example, we have one that assigns an "creator" tag for each resource upon creation. |
Hmm, maybe a better solution is an Azure Policy that assigns tags based on Or alternatively we allow the tags to ignore to be specified in another variable. |
In our organization the Azure policy prevents the resource from being created if it does not include the necessary tags. I think this is due to the values of the tags being the responsibility of whoever creates these resources. In this case, I don't think tags automatically applied by an Azure policy would function. In our case, the ignore changes is not an issue since the policy affects only resources on creation. If it is an issue here I am not sure what the best solution is. |
If the tags variable is updated after initial deployment the changes will not take affect on the core deployment. I guess we could caveat that updates are not supported. I think the more complete solution would be to have
I'm not sure if variables can be used in lifecycle attributes though. @tamirkamara thoughts welcome. |
Nope, not possible. hashicorp/terraform#24188 |
@jlabhard-sg how would you deal with the scenario "Now we need all resources to have this new tag?" I think a policy might be abetter way forward I'm afraid, we could still add this to the TRE project to apply tags based on TRE_ID, although expect it would be relatively easy to do manually.
https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#order-of-evaluation |
@marrobi Would this policy be created by the TRE/terraform, or is that something that should be created manually by our organization? I am a bit worried that the scope of the project would not have the necessary permission to create new policies. It is true that the scenario could be an issue in the future. Would it be possible to have a boolean variable determine whether the terraform should ignore tags or not? |
It would be created by Terraform at subscription scope. I've been having a look to see if I can make it work... this is my current WIP |
@jlabhard-sg this seems to work for me... are you ok to give it a go in your environment with the policy that blocks without certain tags?
I reverted the change in
and added a dependency to the core RG in
Let me know if you can give it a go, and also the results. Lets leave the PR here until we know. Thanks. |
I also note we haven't got ignore changes on all resources with tags defined. :/ |
@marrobi Yes I will try to test the deployment tomorrow using this policy file instead of directly adding tags |
@jlabhard-sg @tamirkamara I've created to PR here #3670 to add the missing lifecycle changes blocks (with a bit of help from GitHub copilot!) |
@marrobi I've tested the deployment with the azure policy in the terraform and it seems to work, policy is complied with and did not encounter any permission issue. I think this the the way to go. However, in our case, it is necessary to have the policy in the management resources terraform ( Specifically what I did:
If there is no issue, I can adapt the PR with these changes, adding the policy to the management resources, and removing the custom tags to all resources terraform. |
@jlabhard-sg why do you need it in the Initially the idea was multiple environments might share the same ACR and storage account, but in reality not sure that is the case anywhere. I don't see any real reason why policies couldn't go there, have you tagged the management resources with the The other option is we do nothing, and say tagging policy is outside the remit of the repository, but we could provide an example in the docs on how to do it. |
@marrobi Because the policy that requires the tags also applies on the management resources. The resource group and storage account could be created manually as they are then imported to the state, but the ACR is not. Doing nothing is also an option. the azure policies as they are defined here is not something that is necessary in either the core or devops terraform since it is at subscription scope. We could match it to something other than the Let me know what you think is the best approach. I actually didn't consider using policies to apply tags but it seems to solve the issue without needing changes to the repository. |
Thanks, its actually similar to this one: #50 The management resources should probably have tags. @tamirkamara can you think of any reason why they shouldn;t be tagged with I'm in two minds about including the policies. It would make it easier for organisations to get up and running - and people to want these things to work "out of the box", but is policies might also need tweaking to meet an organisations needs. |
We don't use |
I think there are two separate issues in play here. "how should we handle tagging", and "does the management resource group need a rethink". The latter needs a separate issue and longer discussion - for now you could tag in a policy filtering on the management resource group name. Given you have a workaround, as much as I would like to get the PR in as you have put in effort, I think adding notes to the original issue might be the easiest next step, then if want to revisit later we can. We do need to get the ignore changes to tags PR in #3670 , otherwise TF is going to keep trying to remove any tags applied by policy. |
Resolves #417
What is being addressed
We need all resources deployed by TRE (included management) to include specific tags upon creation to comply with corporate tagging policies.
Important: The current PR contains a draft implementation that solves this issue. It is not fully complete and has not been tested yet.
How is this addressed
config.yaml
file in a newtags
field.'{"tag_key": "tag_value", "tag_key2": "tag_value2"}'
, similar torp_bundle_values
/devops/terraform/bootstrap.sh
directly in the command to create the resource group and storage account. This is done to comply with policies upon creation of resources.tre_core_tags
which is already applied to resources. Extension to modules is also considered.shared_services
,workspace_services
,user_resources
, andworkspaces
:tre_shared_service_tags
,tre_workspace_service_tags
,tre_user_resources_tags
,tre_workspace_tags
)porter.yaml
andparameters.json
files have been updated for each template